Identity Crisis

Zach Friesen was just 7 years old when his identity was stolen. He had no idea anything was wrong until 10 years later, when a standard background check for a stock clerk job revealed that someone had used Zach's personal information to buy a $40,000 houseboat but never paid for it, ruining the then-17-year-old's credit rating.

"At the time, I didn't even know what a credit rating was," says Zach — but learning that his had been compromised left him angry and frustrated. Both Zach and his mother spent weeks on the phone with banks, credit bureaus, and the police in an effort to clear his name. On average, victims of identity theft spend from 300 to 600 hours trying to clean up the mess, according to the Identity Theft Resource Center (idtheftcenter.org).

Now a 21-year-old senior at the University of Colorado, Friesen travels to high schools around the country to teach students about identity theft. According to a 2005 survey by the Chubb Group, one in five Americans have had their identity stolen; and in 2006 another 15 million joined them, reports the research firm Gartner, Inc. Though kids represent a small percentage of victims overall, that number is climbing — from 3 percent of all identity fraud in 2003 to 5 percent in 2006, according to complaints filed with the Federal Trade Commission (FTC). And experts say that figure is likely low, because the number of people who take the step of filing an ID theft report with the FTC is believed to be much smaller than the actual number of victims.

Since then, Friesen says, he keeps a close watch on his bank statements and credit reports, and never carries more than his driver's license and a couple of credit cards. Like most people, he has never been able to pinpoint how the security breach occurred. The causes of most identity theft can't be conclusively traced, says Mari J. Frank, author of From Victim to Victor: A Step-by-Step Guide for Ending the Nightmare of Identity Theft (Porpoise Press) and founder of the Web site identitytheft.org.

Whether it's someone reaching across the Internet or directly into your life by stealing your mail or discarded papers, you need protection. Arm yourself by learning how identity thieves operate.

Hooked by Phishers

It was Christmas Eve 2003 when Nancy Boyle, 52, decided to check her bank account online to make sure there was enough cash to cover a last-minute shopping trip. But instead of finding $1,800 as she expected, she had a zero balance.

Nancy and her husband, Dan, the parents of four grown kids, had been robbed by phisher scammers. Weeks earlier she'd received an e-mail that looked like it was from her bank, warning her about possible fraudulent activity on her account and urging her to log in and confirm her personal information. But the e-mail was actually from phishers, who linked her to a bogus Web site that looked just like her bank's. The scammers used that info to clean out her available funds.

Unfortunately, the Boyles are not alone — Gartner, Inc., estimates that 3.5 million Americans have fallen prey to phishers. Victims lost more than $2,800 on average in 2006, and have recovered only 54 percent of their money.

Nancy was lucky. She reported the fraud to her bank the next day and her money was refunded quickly. She had to file a police report, close all of her accounts, then open new ones. Her eBay user name had also been snatched by the thieves, who were trafficking in stolen goods on the strength of her reputation — she and Dan operate a home decorating business in Wisconsin — so she had to contact eBay's corporate office too. Once that was straightened out, the Boyles thought they had put their problems behind them. But exactly one year later, on Christmas Eve 2004, Nancy checked her new account. This time $2,400 had been taken. She'd been victimized by a keylogger — a piece of software that detects when you visit a banking site, captures your keystrokes, then sends the data to crooks who extract user names and passwords. The Boyles promptly installed security software to prevent future incidents.

Hacked @ Home

A manager at a nonprofit in Washington, D.C., Lori was shopping for holiday decorations in December 2004 when — much to her surprise — her debit card was declined at two different stores. She decided to stop by her bank and within minutes the branch manager informed her that her identity had been stolen, along with the $3,100 in her account.

"I had tears rolling down my face," says Lori. But her troubles were only beginning. As her paychecks were automatically deposited, the thief would siphon off more money. Lori finally got the bank to freeze her account but had to wait 45 days to be reimbursed, during which time she incurred roughly $300 in penalties for insufficient funds (which were not refunded). Six months later she was still struggling to set everything right.

Lori believes the thief tapped into her home wireless network. "My ATM card had never been lost or unaccounted for, and I didn't carry a checkbook, but I had been paying my bills online," she says. "In the end it appeared my wireless network was the only likely source."

After the theft, Lori empowered herself by taking computer courses at a community college. She still pays her bills electronically, but now she runs the latest security software and relies on encryption programs to password-protect her WiFi network. She also subscribes to credit monitoring services that immediately alert her to any suspicious activity on her accounts.

The Paper Chase

Though phishing and hacking get the media attention, most cases of identity theft still happen offline. According to a 2006 survey by Javelin Research and the Better Business Bureau, more than half of victims had their credit cards or checkbooks stolen, their garbage ransacked, their personal files pilfered at work or at school, or their mailboxes raided.

San Francisco creative consultant Karen Lodrick learned this the hard way in November 2006, when a thief snagged two unsolicited credit/debit cards sent by her bank, plus documents containing PIN numbers and her Social Security Number from her apartment mailbox.

As Karen details on her Web site, fightingbacknow.com, this was the beginning of a six-month odyssey that would drain $22,000 from her accounts and cost the self-employed woman about $30,000 in lost income because she had to turn down work while she dealt with the theft. As Karen closed one false account, the thief would open a new one somewhere else. Throughout the ordeal, Karen says, her bank treated her like the criminal, not the victim.

What's unusual about this story is that Karen personally apprehended her identity thief, 31-year-old Maria Nelson. After obtaining photos of Nelson captured by her bank's security cameras, Karen spotted her virtual clone at a Starbucks and chased her through the streets into an underground parking garage, trapping her there until police arrived. Eventually, Nelson pleaded guilty to one count of fraudulently using someone else's identity and was sentenced to time already served in jail for other offenses, plus three years of probation.

"The whole thing has been surreal," Karen says. "I've had mothers come up to me and say, 'I've read your story to my daughter to teach her how to be strong.' I don't want to be known as an advocate for chasing down criminals, but I do think I'm a lesson in trusting your gut and realizing how powerful you truly are."

Your Identity Has Been Stolen — Now What?

Contact your police precinct as soon as possible to file a report; you will need this as proof for creditors that your claim is legitimate.

Get your credit reports and scour them for anything suspicious. By law, everyone is entitled to request a free report once a year; victims of ID theft are eligible for additional reports from the major credit bureaus. For detailed info, see annualcreditreport.com.

Close any accounts that have been compromised. Ask specifically to speak to someone in the fraud department at the issuing credit agency, and keep a written log of whom you have spoken to and on what date. Follow up with a letter (to view samples, go to identitytheft.org) sent via certified mail, return receipt requested, so you have a paper trail. Documenting everything is your best defense against banks or creditors who don't believe you've been victimized.

Place an official Fraud Alert on your file. This will warn banks and other creditors to exercise caution when new accounts are opened in your name. Most alerts last for 90 days, but victims of identity theft can request an extended alert that lasts for seven years.

For information on additional steps to take, visit the FTC's identity theft site at ftc.gov/idtheft.

How to Thwart ID Thieves

Never keep your Social Security Number in your wallet.

Refuse to share your SSN, date of birth, or mother's maiden name with any entity other than your employer, bank, insurance company, or the IRS. When other parties ask for this information, insist they accept a substitute such as a different date or name, or only the last four digits of your SSN.

If your mailbox doesn't have a lock, replace it with one that does or consider switching to a P.O. box.

Destroy (preferably in a cross-cut shredder, available at office supply stores) all junk mail before discarding.

Store papers containing sensitive information only in a locked cabinet or safe, not in a desk.

Request your credit reports at least annually.

Call 888-567-8688 to opt out of receiving preapproved credit or insurance offers.

Type the address of your bank's sign-on page into your browser, then bookmark it to access your account as needed.

Install security software like Norton 360 or Trend Micro PC-cillin and keep it up to date.

If you use a wireless home network, enable all security functions and choose a password that doesn't contain any obvious or logical sequences like your first or last name or your birth date.

Myths About ID Theft

Myth #1: You should order credit reports on your kids, just to be safe.
Not necessarily, says Linda Foley, executive director of the Identity Theft Resource Center (idtheftcenter.org). Request a report only if you have reason to believe your child's identity has been stolen — ideally, you will be told it's unavailable, which means his or her ID is probably safe. Otherwise, asking for a report may prompt the bureaus to create one, making it harder to convince creditors your child is not an adult if his or her identity gets stolen later. If you send an e-mail to childidtheft@transunion.com, they can tell you whether a report exists without creating one, Foley says.

Myth #2: You need to pay for credit monitoring services. Experian, Equifax, and TransUnion will gladly bill you $10 a month to monitor your account, but you can do the same thing for free with a little effort, says Beth Givens, founder and director of the Privacy Rights Clearinghouse (privacyrights.org). You can request a free credit report from each agency within any 12-month span at annualcreditreport.com. Order one from a different bureau every three months and you'll be covered at no charge.

Myth #3: You can freeze your credit only after your identity has been stolen. A credit freeze will keep anyone — including you — from opening a new account in your name. It's the ultimate weapon against ID theft, but you don't have to be a victim to get one. At press time 39 states and Washington, D.C., allowed citizens to freeze their credit for a nominal fee (usually $10 to $20, or free for ID theft victims); in the remaining 11, you may request a freeze from one of the three credit bureaus. You may also have to pay fees to "thaw" or remove the freeze when you want to add new accounts. For more info, visit Consumers Union's site: consumersunion.org/securityfreeze.htm.